Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SaaS management for MSPs: what identity teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Centralized visibility, automated provisioning and deprovisioning, usage analytics, and access reporting across tenants define SaaS management for managed service providers, according to Josys. The governance issue is less about console consolidation than about whether MSPs can enforce consistent identity controls without losing client-specific accountability.

NHIMG editorial — based on content published by Josys: Josys SaaS Management Platform: Transforming MSP Operations

Questions worth separating out

Q: How should MSPs govern SaaS access across multiple client tenants?

A: MSPs should treat SaaS access as a tenant-specific governance problem, not a single shared admin task.

Q: When does centralised SaaS management create more risk than it reduces?

A: It creates more risk when the platform concentrates control without preserving separation of duties, tenant boundaries, and client-specific policy.

Q: What should teams get wrong about automated deprovisioning in SaaS environments?

A: The common mistake is assuming that automation equals complete offboarding.

Practitioner guidance

  • Map delegated administration boundaries Document which tenant actions the MSP can take centrally, which require customer approval, and which must remain client-owned.
  • Audit provisioning and deprovisioning workflows Test the full joiner-mover-leaver path for each application class, including removal of stale entitlements, subscription cleanup, and revocation of administrator roles when a contract or tenant relationship changes.
  • Tie usage analytics to access review decisions Use application utilisation and inactivity signals to prioritise certification reviews, but require an owner to validate business need before removal.

What's in the full article

Josys' full blog covers the operational detail this post intentionally leaves for the source:

  • A walkthrough of the centralized SaaS dashboard and multi-tenant client directory used for day-to-day administration.
  • Details on automated provisioning, usage analytics, and integration capabilities for MSP workflows.
  • Examples of how the platform supports compliance reporting and access reviews across multiple tenants.
  • A customer case study reference showing how real-time alerts and audit logs were used in practice.

👉 Read Josys' analysis of SaaS management for MSP operations →

SaaS management for MSPs: what identity teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Centralised SaaS management is now an identity governance problem, not just an MSP efficiency problem. The article presents consolidation as an operations story, but the deeper issue is that MSPs are becoming cross-tenant identity brokers. Once a provider manages access, subscriptions, and policy enforcement in one place, the security question becomes how governance remains tenant-specific under a shared operating model. The practitioner conclusion is that centralisation only works when accountability stays local to each customer environment.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: How do access reviews work in multi-tenant MSP operations?

A: Access reviews should combine usage evidence, business ownership, and tenant context. A user or service account that is inactive in one client environment may still be valid in another, so reviewers need per-tenant data and a clear approval chain. Reviews are effective only when they lead to actual entitlement change.

👉 Read our full editorial: Josys and SaaS management for MSPs: identity governance implications



   
ReplyQuote
Share: